What the private sector could contribute to the data retention debate

By Michael Lee

CSO|

It is impossible to discuss the recent debate around data retention in Australia without eventually coming back to information security -- encryption, the secure storage of digital records, and meta data are just some of the topics that are traditionally security issues. However, they are the same issues that have been addressed time and time again in the private sector.

Security company RSA has spent a lot of time tackling this issue in the private sector, understanding that a company must protect the privacy of its customers, while still being able to ensure nothing illegal is occurring within its own userbase. There are several lessons that can be abstracted from the years of experience that the private sector has to look at what needs to be present in a possible data retention scheme.

Security and privacy magnets - How do they work?

For privacy to exist in the digital world, it requires some form of structure to enable it – that structure is security. Security and privacy are like magnets – put together the right way, they are attracted to each other. But put together the wrong way, they repel one another.

To ensure they marry up correctly in the private sector, a framework of transparency and good governance is required. This had led many leading companies to formalise transparency and governance policies regarding the lawful collection and use of personally identifiable information and Big Data by IT security organizations, governments and other entities. These have been the necessary elements required to ensuring that there is a balance of trust between privacy and security.

For a government asking for information on its citizens, the same concepts apply. There is undoubtedly valuable information that can assist law enforcement in performing their duties, but this can only be used confidently if the right controls and oversight are in place to ensure that there is a valid reason for accessing the data. Like the private sector, data governance and transparency by government is necessary to reassure the general public on its use and benefits.

Necessary information for data retention

In the private sector, it is commonly accepted that confidentiality, integrity and availability are cornerstone requirements for information security within an organisation. Confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of reliable access to the information by the right people.

Looking at a broader picture of nationwide data retention, confidentiality is roughly equivalent to privacy. The lesson that could be learned here is to ensure that certain measures are put in place to prevent sensitive information from reaching the wrong people.

In order to tackle this, the private sector has spent significant amounts of time classifying all data that it might make available for analysis. This is a key process for managing the security and privacy of data, as no action can be assigned to the information if it cannot be determined what it is.

Just as organisations are required to spend time clearly classifying what data they are protecting, it is important that any data retention scheme also classifies what data is being retained in order to prevent it from being misused. Without the ability to know what class of data is being used, it is not possible to determine what level of confidentiality should be applied to it, whether it should be discarded immediately, or whether it can be used without infringing civil liberties.